All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

F5 Firepass not showing events from built-in searches

remy06
Contributor
‎08-02-2010 07:32 AM

Hi,

I've Firepass sending logs to splunk server via udp 514. I've also installed F5 app but none of the built-in searches seems to display any events captured. (eg. F5 FirePass Connections by User)

Is there any thing wrong with the built-in searches?

How can I get it to show up under F5 app?

I also have linux servers sending via 514 and sourcetype as syslog. Thus when Firepass logs came in it is under syslog as well. How do I set its own "sourcetype = firepass" for example?

Thanks in advance.

0 Karma
Reply

jtf5splunk
New Member
‎01-27-2011 02:35 AM

If FirePass is the only source for udp:514 then you can specify the following in props.conf and restart the splunk server.

[source::udp:514]
sourcetype=firepass_log

If more sources are sending syslog to udp:514 then you can use regular expression to transform the sourcetype using FirePass's ip address (e.g., 192.168.1.253).

in transforms.conf add the following:

[firepass_sourcetyper]
DEST_KEY = MetaData:Sourcetype
REGEX = (?:192\.168\.1\.253)
FORMAT = sourcetype::firepass_log

in props.conf add the following:

[source::udp:514]
TRANSFORMS-firepasssoucetype = firepass_sourcetyper

Restart the splunk server. Hope this helps.

0 Karma
Reply

dooshiant
New Member
‎03-12-2012 05:54 AM

Hello,

I have edited transforms.conf and props.conf, but most of my data is not showing up in the F5 Access Dashboard.
For example I can only see 4 or 5 users in the Connections by User in the last 24 hours chart, but on the firepass, it shows that there was over a 100 connected in the same timeframe..

Thanks in advance

0 Karma
Reply
Get Updates on the Splunk Community!

Your Guide to Splunk Digital Experience Monitoring

A flawless digital experience isn't just an advantage, it's key to customer loyalty and business success. But ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...